



<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  
  <title>ALLOWED_HOSTS setting missing &mdash; Python Anti-Patterns  documentation</title>
  

  
  

  

  
  
    

  

  
  
    <link rel="stylesheet" href="../../../_static/css/theme.css" type="text/css" />
  

  
    <link rel="stylesheet" href="../../../_static/css/ribbon.css" type="text/css" />
  
    <link rel="stylesheet" href="../../../_static/css/font-awesome-4.1.0/css/font-awesome.min.css" type="text/css" />
  
    <link rel="stylesheet" href="../../../_static/css/menu.css" type="text/css" />
  
        <link rel="index" title="Index"
              href="../../../genindex.html"/>
        <link rel="search" title="Search" href="../../../search.html"/>
    <link rel="top" title="Python Anti-Patterns  documentation" href="../../../index.html"/>
        <link rel="up" title="Security" href="index.html"/>
        <link rel="next" title="SECRET_KEY published" href="django_secrect_key_published.html"/>
        <link rel="prev" title="Security" href="index.html"/> 

</head>

<body class="wy-body-for-nav" role="document">

  <div class="wy-grid-for-nav">

    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-nav-search">
        <a href="../../../index.html"> Python Anti-Patterns</a>
        <div role="search">
  <form id ="rtd-search-form" class="wy-form" action="../../../search.html" method="get">
    <input type="text" name="q" placeholder="Search docs" />
    <input type="hidden" name="check_keywords" value="yes" />
    <input type="hidden" name="area" value="default" />
  </form>
</div>
      </div>


      <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
        
        
            <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../../correctness/index.html"><i class="fa fa-check"></i> Correctness</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../maintainability/index.html"><i class="fa fa-puzzle-piece"></i> Maintainability</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../readability/index.html"><i class="fa fa-eye"></i> Readability</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../security/index.html"><i class="fa fa-lock"></i> Security</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../performance/index.html"><i class="fa fa-dashboard"></i> Performance</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="../../index.html"><i class="fa fa-book"></i> Django</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../maintainability/index.html"><i class="fa fa-puzzle-piece"></i> Maintainability</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="index.html"><i class="fa fa-lock"></i> Security</a><ul class="current">
<li class="toctree-l3 current"><a class="current reference internal" href="#">ALLOWED_HOSTS setting missing</a></li>
<li class="toctree-l3"><a class="reference internal" href="django_secrect_key_published.html">SECRET_KEY published</a></li>
<li class="toctree-l3"><a class="reference internal" href="same_value_for_media_root_and_static_root.html">Same value for MEDIA_ROOT and STATIC_ROOT</a></li>
<li class="toctree-l3"><a class="reference internal" href="same_value_for_media_url_and_static_url.html">Same value for MEDIA_URL and STATIC_URL</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../correctness/index.html"><i class="fa fa-check"></i> Correctness</a></li>
<li class="toctree-l2"><a class="reference internal" href="../performance/index.html"><i class="fa fa-dashboard"></i> Performance</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../1.8/migration/index.html"><i class="fa fa-magic"></i> Migration to 1.8</a></li>
</ul>
</li>
</ul>

        
      </div>
      &nbsp;

    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" role="navigation" aria-label="top navigation">
        <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
        <a href="../../../index.html">Python Anti-Patterns</a>
      </nav>


      
      <div class="wy-nav-content" id="signup-box" >
        <div class="rst-content">
          <div class="navigation" role="navigation" aria-label="breadcrumbs navigation">
  <ul class="wy-breadcrumbs">
    <li><a href="../../../index.html">Documentation</a> &raquo;</li>
      
          <li><a href="../../index.html"><i class="fa fa-book"></i> Django</a> &raquo;</li>
      
          <li><a href="index.html"><i class="fa fa-lock"></i> Security</a> &raquo;</li>
      
    <li>ALLOWED_HOSTS setting missing</li>
      <li class="wy-breadcrumbs-aside">
        
          <a href="../../../_sources/django/all/security/allowed_hosts_setting_missing.rst.txt" rel="nofollow"> View page source</a>
        
      </li>
  </ul>
  <hr/>
</div>

          <div role="main">
            
  <div class="section" id="allowed-hosts-setting-missing">
<h1>ALLOWED_HOSTS setting missing<a class="headerlink" href="#allowed-hosts-setting-missing" title="Permalink to this headline">¶</a></h1>
<p>In Django, you need to properly set the <code class="docutils literal notranslate"><span class="pre">ALLOWED_HOSTS</span></code> setting when <code class="docutils literal notranslate"><span class="pre">DEBUG</span> <span class="pre">=</span> <span class="pre">False</span></code>. This is a security mechanism. It prevents attackers from poisoning caches or password reset emails with links to malicious hosts by submitting requests with a fake HTTP Host header, which is possible even under many seemingly-safe web server configurations.</p>
<div class="section" id="anti-pattern">
<h2>Anti-Pattern<a class="headerlink" href="#anti-pattern" title="Permalink to this headline">¶</a></h2>
<p><code class="docutils literal notranslate"><span class="pre">ALLOWED_HOSTS</span></code> not set or empty, when <code class="docutils literal notranslate"><span class="pre">DEBUG</span> <span class="pre">=</span> <span class="pre">False</span></code>.</p>
<div class="highlight-python notranslate"><div class="highlight"><pre><span></span><span class="sd">&quot;&quot;&quot; settings.py &quot;&quot;&quot;</span>

<span class="n">DEBUG</span> <span class="o">=</span> <span class="kc">False</span>
<span class="c1"># ...</span>
<span class="n">ALLOWED_HOSTS</span> <span class="o">=</span> <span class="p">[]</span>
</pre></div>
</div>
</div>
<div class="section" id="best-practice">
<h2>Best practice<a class="headerlink" href="#best-practice" title="Permalink to this headline">¶</a></h2>
<p>Make sure, an appropriate host is set in <cite>ALLOWED_HOSTS</cite>, whenever <cite>DEBUG = False</cite>.</p>
<div class="highlight-python notranslate"><div class="highlight"><pre><span></span><span class="n">DEBUG</span> <span class="o">=</span> <span class="kc">False</span>
<span class="c1"># ...</span>
<span class="n">ALLOWED_HOSTS</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;djangoproject.com&#39;</span><span class="p">]</span>
</pre></div>
</div>
</div>
<div class="section" id="references">
<h2>References<a class="headerlink" href="#references" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li><p><a class="reference external" href="https://docs.djangoproject.com/en/1.8/topics/settings/#the-basics">Django documentation - Settings: The Basics</a></p></li>
<li><p><a class="reference external" href="https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-ALLOWED_HOSTS">Django documentation - Settings: ALLOWED_HOSTS</a></p></li>
</ul>
</div>
</div>


          </div>
          <footer>
  
    <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
      
        <a href="django_secrect_key_published.html" class="btn btn-neutral float-right" title="SECRET_KEY published"/>Next <span class="fa fa-arrow-circle-right"></span></a>
      
      
        <a href="index.html" class="btn btn-neutral" title="Security"><span class="fa fa-arrow-circle-left"></span> Previous</a>
      
    </div>
  

  <hr/>

  <div role="contentinfo">
    <p>
    </p>
  </div>

    <!--End mc_embed_signup-->
  <a href="https://github.com/snide/sphinx_rtd_theme">Sphinx theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a> - Last updated: Sep 29, 2020 
</footer>
        </div>
      </div>

    </section>


  </div>
  


  

    <script type="text/javascript">
        var DOCUMENTATION_OPTIONS = {
            URL_ROOT:'../../../',
            VERSION:'',
            COLLAPSE_INDEX:false,
            FILE_SUFFIX:'.html',
            HAS_SOURCE:  true
        };
    </script>
      <script type="text/javascript" src="../../../_static/jquery.js"></script>
      <script type="text/javascript" src="../../../_static/underscore.js"></script>
      <script type="text/javascript" src="../../../_static/doctools.js"></script>
      <script type="text/javascript" src="../../../_static/language_data.js"></script>

  

  
  
    <script type="text/javascript" src="../../../_static/js/theme.js"></script>
  

  
  
  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.StickyNav.enable();
      });
  </script>
   

  <!-- Place this tag right after the last button or just before your close body tag. -->
  <script async defer id="github-bjs" src="https://buttons.github.io/buttons.js"></script>

</body>
</html>